CVE-2026-5669
SQL Injection in Cyber-III Student-Management-System /login.php
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cyber-iii | student-management-system | to 1a938fa61e9f735078e9b291d2e6215b4942af3f (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a time-based blind SQL injection in the login.php script that allows attackers to extract sensitive database information by exploiting unsanitized user inputs.
Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Therefore, this vulnerability potentially compromises compliance with these standards by exposing sensitive user data to attackers.
Can you explain this vulnerability to me?
CVE-2026-5669 is a time-based blind SQL injection vulnerability found in the /login.php script of the Cyber-III Student-Management-System. The vulnerability occurs because the script directly concatenates user-supplied username and password parameters into an SQL query without sanitization or parameterized queries.
Although the application performs strict type comparison after retrieving stored credentials, preventing straightforward login bypass, an attacker can exploit this vulnerability to extract sensitive database information by leveraging time delays in the server's response.
For example, sending a specially crafted POST request with SQL commands that cause the server to delay its response confirms the presence of this vulnerability.
The recommended fix is to avoid direct concatenation of user inputs into SQL queries and instead use parameterized queries (prepared statements) to separate SQL logic from user input, preventing injection attacks.
How can this vulnerability impact me?
This vulnerability allows a remote attacker to perform a time-based blind SQL injection attack on the login functionality of the Student-Management-System.
By exploiting this, an attacker can extract sensitive information from the database, such as user credentials or other confidential data, without needing to bypass login directly.
This can lead to unauthorized data disclosure, potential data breaches, and compromise of the system's integrity and confidentiality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a specially crafted POST request to the /login.php endpoint that includes a time-based blind SQL injection payload in the username parameter.
For example, sending the following POST request and observing a delay in the server response indicates the presence of the vulnerability:
```http
POST /login.php HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/x-www-form-urlencoded

login=Sign+in&username=admin' OR SLEEP(5) AND '1'='1&password=any
```
If the server response is delayed by approximately 5 seconds, it confirms the presence of the time-based blind SQL injection vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to avoid direct concatenation of user inputs into SQL queries.
Instead, use parameterized queries (prepared statements) to separate SQL logic from user input, which prevents SQL injection by treating user inputs as data rather than executable code.
An example fix using MySQLi prepared statements is:
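```php
// The query text is fixed; the username is sent separately as a bound parameter.
$stmt = $conn->prepare("SELECT * FROM login_tbl WHERE username = ?");
// "s" binds $username as a string, so quotes in it are never parsed as SQL.
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
```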
Alternatively, PDO with prepared statements can be used to achieve the same protection.
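The explanation and the mitigation above can be checked side by side. This is an added example, not code from the project or the advisory. It assumes an in-memory SQLite table standing in for the application's MySQL `login_tbl`, a hypothetical `password` column, and a `SLEEP` stub that records calls instead of delaying.

```python
import sqlite3

PAGE_PAYLOAD = "admin' OR SLEEP(5) AND '1'='1"  # username value from the page's request

def make_db():
    """Constructed stand-in for login_tbl (SQLite here, not the app's MySQL)."""
    conn = sqlite3.connect(":memory:")
    sleep_calls = []

    def fake_sleep(seconds):
        # SQLite has no SLEEP(); this stub records the call instead of delaying.
        sleep_calls.append(seconds)
        return 0

    conn.create_function("SLEEP", 1, fake_sleep)
    conn.execute("CREATE TABLE login_tbl (username TEXT, password TEXT)")
    # Constructed rows; plaintext values only to keep the example short.
    conn.executemany("INSERT INTO login_tbl VALUES (?, ?)",
                     [("student1", "constructed-pw-1"), ("admin", "constructed-pw-2")])
    return conn, sleep_calls

def login_concat(conn, username, password):
    # Pattern the page describes as vulnerable: input concatenated into the SQL text.
    sql = "SELECT username, password FROM login_tbl WHERE username = '" + username + "'"
    rows = conn.execute(sql).fetchall()
    # Comparison after retrieval (assumed form of the check the page mentions).
    return any(u == username and p == password for u, p in rows)

def login_prepared(conn, username, password):
    # Fixed pattern: the same query with the username bound as data.
    sql = "SELECT username, password FROM login_tbl WHERE username = ?"
    rows = conn.execute(sql, (username,)).fetchall()
    return any(u == username and p == password for u, p in rows)

def run(login):
    """Return (authenticated, recorded SLEEP calls) for the page's payload."""
    conn, sleep_calls = make_db()
    ok = login(conn, PAGE_PAYLOAD, "any")
    conn.close()
    return ok, sleep_calls

if __name__ == "__main__":
    print("concatenated:", run(login_concat))    # login denied, SLEEP still invoked
    print("prepared:    ", run(login_prepared))  # login denied, SLEEP never invoked
```

Both variants reject the login, but only the concatenated query lets the database evaluate the injected function, which is why the post-retrieval comparison does not remove the timing channel.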